I don’t feel a tinge of anxiety each time a new order rolls in — said no online business owner ever.
Ecommerce is a blessing for entrepreneurs, but so many things can go wrong with online payments. For all their seamlessness, e-payments are incredibly prone to cyberattacks, affecting businesses as much as customers. According to Statista, eCommerce losses due to online payment frauds jumped over 100% in 2022 from last year. Customers have multiple fallback options to protect them from fraudulent transactions, but merchants are not so lucky—the burden of security is on owners to protect their businesses.
This article will cover what constitutes online payment fraud and how businesses can stop malicious agents from bleeding them dry.
What are payment frauds?
Payment fraud is any type of fraudulent activity that exploits the online payment mechanism that businesses and customers use today. It’s much more sophisticated than most users think, which is why it’s so popular among cybercriminals. Businesses that become victims of payment fraud face three types of challenges:
- Loss of money and sensitive data
- Loss of merchandise in case of chargeback fraud
- Loss of customer loyalty and brand reputation
With the influx of remote work, B2B transactions, online shopping, and monthly subscriptions, payment fraud will only increase in the coming years. According to the Merchant Risk Council, merchants already spend 10% of their revenue fighting online payment fraud alone!
Most popular types of payment fraud
To protect your business from payment fraud, you must first understand the myriad ways criminals can attack your business.
Phishing is the most common type of fraud that exists today, and we all have seen it at work in some form or the other. Victims receive fraudulent emails or spam messages from hackers impersonating businesses and are tricked into sharing sensitive data. These messages contain malicious links and malware attachments that can take over customer accounts, place high-value orders, damage devices, or steal money.
Hackers study your business carefully to successfully deceive customers and mimic it down to fonts and language styles. They try all sorts of alerts that can trigger a response—order tracking links, delivery confirmation, and even account issues. Criminals posing as your brand is bad for business. What’s also bad for business is the throng of disgruntled customers who just got their wallets emptied.
Identity theft is not a matter of joke—millions of people suffer every year.
Hackers take over identities by exploiting the victims’ personally identifiable information (PII). They might have nothing to do with your business while executing the fraud. Still, once hackers get hold of a person’s private data, they can use it to deceive businesses the person buys from or create new accounts on websites that have weak payment security.
Almost 30% of identity theft reports in 2021 were used for credit card fraud, meaning businesses must be extra cautious about unusual orders and new accounts. If your business has clients who have dealt with this kind of fraud, raise awareness through this guide on how to recover from identity theft.
We don’t even need to visit websites to place orders these days. Telegram and WhatsApp already allow in-app shopping, and various wallets such as Apple Pay and Google Pay make it incredibly convenient to pay online. But with great convenience comes greater risks.
Man-in-the-middle fraud intercepts transactions as they happen and wirelessly steals data packets or alters them. With more options for users to pay, hackers can target platforms that are easier to infiltrate and steal money from both customers and businesses.
Pagejacking is another stealth attack that works closely with phishing. With pagejacking, hackers create a fraudulent version of your website and redirect users to that page. These types of pages are replete with malware, and users end up sharing sensitive data without even knowing it.
Pagejacking is mostly used to create morphed versions of popular websites and trick people into using them instead of real ones.
Merchant identity fraud
Merchant identity fraud takes the fight directly to the merchants and toys with their reputation. Criminals create fake merchant accounts to charge stolen credit cards, and when cardholders request a chargeback, the real merchants have to bear the brunt of it.
Refund fraud, also known as friendly fraud, is one of the biggest challenges eCommerce businesses face today because the offender here is not a hacker but the customer itself. Refund fraud works like this: a legitimate customer buys a product, receives it, and promptly asks for a refund citing they never received it.
Companies like Apple Pay, PayPal, and GPay have strong buyer protection protocols to entice new customers, but these protocols are often abused at the cost of other businesses. It becomes a guessing game for merchants to determine if a refund request is legitimate or part of friendly fraud.
Similar to refund fraud, chargeback fraud can be a part of friendly fraud, but it’s also possible your customer has no idea about it.
After getting hold of account or card data from one of your customers, hackers can place a high-value order, receive it, and file a chargeback, citing they placed the order by mistake or never received the package. In most cases, they don’t bother filing a chargeback, so the cardholder files the chargeback after finding the unauthorized transaction. In both cases, the onus lies with the merchant to return the money back to the cardholder.
8 ways businesses can avoid payment fraud
Payment frauds are on the rise, and fighting against them may feel like a losing battle. But with proper knowledge and defense weapons in your armory, you can protect your business from hackers and malicious customers.
1. Use a strong know-your-customer (KYC) mechanism
Most regulated businesses use a “know your customer” (KYC) process, and for good reasons. KYC allows businesses to gather insights on their customer bases—from user authenticity to trusted devices. Since most payment frauds can be traced back to customers (victim or offender), it’s good to know them in detail.
For online businesses, eKYC or mobile KYC is best implemented during onboarding. On top of the protection against new account fraud (NAF), you can use the data to improve cart abandonment and lead generation.
2. Brush up payment knowledge
You don’t have to be a pro at payment technicalities, but knowing how online payment flows is good if you’re part of an eCommerce business.
When a customer places an order, the card information is sent to the payment processor or acquirer that relays the information to the card network (Visa, MasterCard, etc.). Once the card network authenticates the card, it’s then sent to the customer’s bank to check if sufficient funds are available. If everything’s alright, the payment is then connected to the merchant’s account. The entire flow connecting the checkout page to the merchant’s bank is called the payment gateway.
Online businesses must have rule-based fraud protection (if A happens, then do B) and machine learning to detect payment fraud, and fundamental knowledge can help you in major ways.
3. Secure payment gateways
The security of your payment getaway determines how protected you are against online payment fraud. Most business owners fail to implement tools that can detect fraudulent transactions. Here are the five steps you can take to upgrade payment gateway security:
- Address verification service (AVS): AVS verifies the billing address against the card address and allows the payment to go through when there’s a match
- Card verification value (CVV): If AVS fails, CVV takes up the responsibility. CVV is a 3-digit code printed on the back of a credit card, and it’s a crucial piece of information against payment fraud.
- Risk profiling: Risk profiling tools can help you see payment fraud from miles away. They use historical and behavioral data, risk countries, and device usage to establish authentic transactions.
- Device fingerprinting: Device ID allows businesses to flag transactions that originate from unusual devices, potentially stopping fraud at the beginning.
- 3D Secure: 3D secure is a new online payment standard most fintech companies adopt. It adds a new layer of PIN to verify users and is one of the most effective ways to secure your payment gateway.
4. Look for signs
Most credit card frauds are preceded by certain behaviors—you detect the signs, you prevent the fraud. Some of the prevalent anomalies are a sudden spike in usage, higher-than-usual order values, website access from unregistered or unusual locations, cross-border requests, IP address discrepancies, and credit alerts. With a proactive approach to online security, you can protect your business.
5. Enforce security compliance
If you’re an online business or have anything to do with eCommerce payments, you must comply with Payment Card Industry Data Security Standard (PCI DSS). It’s the single most important payment standard that can mitigate damages in case something goes wrong. One of the fundamental ideas of PCI DSS is minimizing data footprints to avoid payment data leaks. Other parameters include firewalls, data encryptions, access logs, and policy documentation.
6. Restrict, compartmentalize, and tokenize user data
Thriving eCommerce stores have security baked into their business model. You can prevent data leaks and online payment fraud by implementing stronger and more modern data governance policies. First, restrict the amount of data you collect to only fundamental contexts, and use silos to hide sensitive data. Finally, use tokenized credit card details to hide original data and offload the responsibility to the payment processor. For instance, never store customer CVVs in their original forms in your database.
7. Use strong encryption
You’d be surprised to know how many online businesses fail to enforce strong encryption, which often leads to payment fraud. In the wild west of online shopping, 256-bit AES will secure your transactions and protect business emails from being intercepted and exploited. Although encryption is part of the PCI DSS standard, it merits a closer look by companies.
8. Use a secure payment environment
If you’re still here with us, you must have now realized your knowledge about online payment matters as much as the payment partners you choose to help you. Instead of looking after every small best practice and technology, you can pick a secure payment environment that offers end-to-end protection from online payment fraud.
For instance, Paymo lets you create, customize and manage payment invoices, track expenses for better visibility, and automate and integrate a payment gateway of your choice. Not a fan of PayPal or Stripe? You can use PM Payments for faster, transparent, and flexible payments. PM Payments adheres to the highest security standards, and since it’s part of the Paymo interface, bookkeeping is a breeze.
Payment fraud can devastate the bottom line and reputation. Still, despite all the signs, most eCommerce owners are yet to spend time and resources implementing more robust security measures. If you’re also in the same boat, the above tips should help you.
Start by understanding how payments flow, work on security compliances and industry best practices, and pick a lean and mean payment tech stack that allows you to focus on running your business.
First published on February 1, 2023.
Irina Maltseva is a Growth Lead at Aura and a Founder at ONSAAS. For the last seven years, she has been helping SaaS companies to grow their revenue with inbound marketing. At her previous company, Hunter, Irina helped 3M marketers to build business connections that matter. Now, at Aura, Irina is on a mission to create a safer internet for everyone.